.app: secure by design

The last days of unencrypted HTTP

It’s accepted wisdom that every website should be served over a secure HTTPS (SSL) connection. HTTPS encrypts browser traffic, protecting your customers’ passwords, credit card numbers, and other personal information from eavesdroppers and hackers. In recent years, the price of SSL certificates has plummeted, and the advent of free “Let’s Encrypt” certificates means you no longer need to spend a fortune, or anything at all, to assure your site’s visitors that their data is safe.

All of this will come as no surprise to most Porkbun customers, who by virtue of registering their domains at the Bun find themselves in the vanguard of the push towards a totally-secure web. Porkbun was the first registrar to provide free SSL certificates to every customer on every domain without any renewal fee or upcharge.

Unencrypted HTTP isn’t just unfashionable, it’s about to go the way of the Dodo. As of April 2018, over 70% of all website traffic is served over HTTPS, up almost 10% from a year ago. Google recently announced that starting in July of 2018, any site not served over HTTPS will be marked with a large grey “not secure” icon in Chrome’s URL bar, which does little to instill consumer confidence.

 

How insecure sites will appear in Chrome after July 2018. Source: Chromium Blog

 

.app and HTTPS

With the release of Google Registry’s new .app domain extension, Google has taken their commitment to a secure web a step further by enforcing mandatory HTTPS across all .app domains. That means if you register a .app domain, you can still host a site over unencrypted HTTP — but no modern browser will load it.

How did Google achieve this feat? Well, it just so happens that Google maintains a special list known as the HSTS Preload List. Anyone can submit their site to the list, which tells every modern browser: “insecure HTTP is disabled for this domain.” What makes .app unique is that the entire .app zone has already been added to the HSTS Preload List, no exceptions allowed.

Thus, if you try to load a .app site over unencrypted HTTP, your browser will refuse, instead displaying an error message that can’t be bypassed. This protects all .app domains from a wide swath of so-called “man-in-the-middle” attacks wherein an eavesdropper intercepts traffic for nefarious purposes. It also improves site loading time as the browser won’t even try to connect to the unencrypted channel first, skipping directly to HTTPS.
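How a single preloaded TLD entry covers every name beneath it, as an added example (not Chromium’s or Porkbun’s code). The list contents and the names `PRELOAD`, `findPreloadEntry` and `resolveNavigation` are hypothetical, and the `example.com` entry is constructed to show the contrast with an exact-host entry.

```javascript
// Constructed stand-in for the preload list that ships inside the browser.
const PRELOAD = new Map([
  ["app", { includeSubdomains: true }],          // whole TLD, as the article describes
  ["example.com", { includeSubdomains: false }], // constructed: covers this exact host only
]);

// Return the list entry that covers `host`, or null if none does.
function findPreloadEntry(host, list = PRELOAD) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the full host name up towards the TLD: a.b.app, b.app, app.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = list.get(candidate);
    // An exact match always applies; a parent entry applies only
    // when it was listed with includeSubdomains.
    if (entry && (i === 0 || entry.includeSubdomains)) return candidate;
  }
  return null;
}

// Model the decision the browser makes before it opens any connection.
function resolveNavigation(rawUrl, list = PRELOAD) {
  const url = new URL(rawUrl);
  const matched = findPreloadEntry(url.hostname, list);
  if (url.protocol === "http:" && matched !== null) {
    // The plaintext request is never sent; the URL is rewritten locally.
    url.protocol = "https:";
    return { url: url.href, upgraded: true, matched };
  }
  return { url: url.href, upgraded: false, matched };
}

// Constructed sample navigations.
for (const u of [
  "http://shop.example.app/cart",
  "http://example.com/",
  "http://www.example.com/",
]) {
  console.log(u, "->", resolveNavigation(u));
}
```

Because the rewrite happens before any packet leaves the machine, a .app site that only listens on port 80 simply fails to load rather than falling back to HTTP.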

.app and Porkbun

.app’s HTTPS requirement can seem scary, but compliance is easy at Porkbun. If you’re hosting your .app site via our site builder or shared hosting package, HTTPS is automatic; you don’t have to do a thing! Want to host your site elsewhere? You can still use your free Let’s Encrypt certificate with a third-party hosting company. For more info, check out our article How to use your free SSL certificate. Already purchased a traditional certificate? That works, too.

Still have questions about .app, Let’s Encrypt, or HSTS Preload? Email us at support@porkbun.com

Major price increases on selected domains?

We’ve been contacted by a number of customers confused about rumored price increases on Uniregistry Corporation-owned domain extensions. This article seeks to clear up misconceptions and give our customers the information they need to make informed decisions about impending price increases.

Q: Are prices dramatically increasing? Should I be worried?

A: Yes, but only for 12 TLDs and not until September 8, 2017. You should be concerned if you own domains with any of the following Uniregistry Corporation-owned extensions:

.audio
.blackfriday
.christmas
.diet
.flowers
.guitars
.hiphop
.hosting
.juegos
.property
.sexy
.tattoo

Our wholesale cost is slated to increase at least $10 on each of these extensions and in some cases our cost at the registry will increase over $100. Most notably .hosting and .juegos will see a wholesale price increase that will result in those domains being sold for over $300/year. We’ve yet to determine our final retail prices.

In addition, we expect a few dollars per year increase on:
.click
.link
.pics
.help

 

Q: Ack! I own domains in those TLDs! How do I avoid paying the increased price?

A: Since our costs are going up, there’s not a lot we can do after September 8th. However, there is something you can do now: add multiple years of registration to your domain before the price goes up. To do so, click the little circle arrow icon next to your domain in Domain Management:

…and click “Renew Now” to add a maximum of ten years of registration at today’s pre-hike rates.

 

Q: How do other registrars feel about this?

A: We’re already seeing the impact of this price increase ripple across the industry. Last week, GoDaddy took the extraordinary step of boycotting Uniregistry domains, prohibiting transfers in and new registrations of Uniregistry domains in an apparent protest against the price increases. We have no plans to drop support for these domain extensions and will mark up Uniregistry domains as little as possible so as to reduce the impact to our customers.

 

Q: Do I need to worry about other TLDs following suit?

A: We don’t think so. We haven’t heard of any other registries planning dramatic price increases. If anything, the prevailing trend has been a general decrease in prices across the industry and frequent discounts over a wide swath of TLDs.

We will continue to keep our customers apprised of any updates to this story as it unfolds.

Why Porkbun is actually the best deal around

Why choose Porkbun?

In a word: value. Not only do we have some of the lowest prices around, SSL and WHOIS Privacy (essential features for keeping eavesdroppers and spammers away from your domain) are included free with every Porkbun domain.

Plus, at Porkbun, you get free email forwarding, free web hosting through our Weebly-powered site builder, and free top-notch tech support. We think we’re the best deal around, and we hope you’ll agree!

Changes at Porkbun to Support ICANN’s new transfer policy

Recently, the Internet Corporation of Assigned Names & Numbers, aka ICANN, updated their policy previously known as the IRTP and now known simply as the Transfer Policy. Generally, these policy changes affect what happens any time the given name, organization, or email address associated with a Porkbun customer’s domain is updated; WHOIS privacy is turned on or off; or domains are transferred to another registrar.

The new Transfer Policy will go into effect on December 1, 2016. To comply with these changes, Porkbun is updating its Domain Name Registration Agreement and Terms of Service in a way designed to impact our customers as little as possible.

The new language allows Porkbun and its privacy service, Private by Design LLC, to act as your “Designated Agent” when you use the WHOIS Privacy on/off button in the Domain Management console. In case you haven’t used the feature before, if you click the grey glasses icon in your Domain Management console, WHOIS Privacy is activated, which shields your personal information from being published online. The changes to our policies will allow us to continue to offer this free, “one-click” privacy solution.

Additionally, we have included an explicit opt-out of the 60-day transfer lock imposed by ICANN’s policy following changes to the registered name holder’s information. In the case of removing WHOIS Privacy, for example, registrants are often required to discontinue using privacy prior to an inter-registrar transfer. We believe that locking a domain after WHOIS privacy has been removed may prevent registrants from being able to freely move their domains to the registrar of their choice. Opting out of this lock will not keep you from locking your domain after any such change, as you will still be able to lock/unlock your domain from within Porkbun’s Domain Management console.

Finally, any change to the listed registered name holder’s email, business name, or name found in Porkbun’s “Your Account” area will cause additional emails to be sent to confirm the change. Not responding to such messages will delay the requested changes.

Specific changes to language

In order to accommodate these changes to ICANN’s Transfer Policy while minimally affecting your experience using Porkbun.com to manage your domains, we’ve made the following change to our Domain Name Registration Agreement (DNRA):

You agree that Porkbun has the authority to act as your Designated Agent as defined in ICANN’s Transfer Policy. As your Designated Agent, Porkbun will maintain the right to approve requests to modify registrant information and changes in domain ownership, including the use of Porkbun’s WHOIS privacy service provider. You also expressly agree to opt out of the 60 day inter-registrar transfer lock following any Material Change of registrant information or domain ownership, as defined in ICANN’s Transfer Policy.

Private by Design LLC’s Terms of Service has also been updated to reflect the change:

You agree that Porkbun’s Domain Name Privacy Service [Private by Design] has the authority to act as your Designated Agent as defined in ICANN’s Transfer Policy. As your Designated Agent, Domain Privacy Service [Private by Design] will maintain the right to approve requests to modify registrant information and changes in domain ownership, including enabling and disabling WHOIS privacy. You also expressly agree to opt out of the 60 day inter-registrar transfer lock following any Material Change of registrant information or domain ownership, as defined in ICANN’s Transfer Policy.